Why Is Enumeration an Early Stage?

Enumeration is the part that most new learners skip, and they come to know its importance only when they work with companies. Enumeration makes up around 50% of total security testing, hacking and any system/server exploitation. In the enumeration phase, attackers or security researchers try to gain every single detail of the target, which helps them create a system backdoor and their exploits, which in turn helps them bypass the security.

Enumeration techniques are conducted in an intranet environment. After successful completion of this phase, an attacker may have information like usernames, passwords, Active Directory details, user groups, open ports, running services, service versions and the operating system. Some common enumeration tools are Enum4linux, Nmap and DirBuster.

Enumeration Techniques:

  1. Extract usernames using e-mail IDs. Most users use the username part of their e-mail address as their account username.
  2. Extract account information using default passwords. Sometimes users set very common passwords on their accounts, like pass123, password123 or admin.
  3. Extract usernames using SNMP. The attacker extracts network resource information such as shares, devices, routers and hosts, and network information such as routing tables, traffic and ARP tables.
  4. Brute-force directories. The attacker finds directories by brute force, using lists of default directory names.
  5. Extract network information using NetBIOS. The attacker finds the share list on individual hosts, policies and passwords.
  6. Extract information using DNS zone transfer. The attacker can gather network information like hostnames, machine names, server names and usernames.

Types of information enumerated by intruders:

  • Network resources and shares
  • Users and Groups
  • Routing tables
  • Auditing and Service settings
  • Machine names
  • Applications and banners
  • SNMP and DNS details

Ports and Services to Enumerate:

  • 25 – TCP: Simple Mail Transfer Protocol (SMTP)
  • 53 – TCP/UDP: DNS zone transfer
  • 135 – TCP/UDP: Microsoft RPC Endpoint Mapper
  • 137 – UDP: NetBIOS Name Service
  • 139 – TCP: NetBIOS Session Service
  • 161 – UDP: Simple Network Management Protocol (SNMP)
  • 162 – TCP/UDP: SNMP Trap
  • 389 – TCP/UDP: Lightweight Directory Access Protocol (LDAP)
  • 445 – TCP/UDP: SMB over TCP (Direct Host)
  • 3268 – TCP/UDP: Global Catalog Service

Enumeration at the time of Penetration Testing:

1. Find the network range (Tool: WhoIs lookup)
2. Calculate the subnet mask (Tool: subnet mask calculator)
3. Perform host discovery (Tool: Nmap, `nmap -sP`)
4. Perform port scanning (Tool: Nmap, `nmap -p`)
5. Perform NetBIOS enumeration (Tools: SuperScan, Hyena, Winfingerprint)
6. Perform SNMP enumeration (Tool: OpUtils)
7. Perform NTP enumeration (Tools: ntptrace, ntpdc)
8. Perform SMTP enumeration (Tool: NetScanTools Pro)
9. Perform DNS enumeration (Tool: nslookup)
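Steps 3 and 4 above are the ones a network defender sees first: a host-discovery sweep touches many addresses in a short window, and a port scan touches many ports on one address. The script below is an added example (not part of the original article, and not the output of any tool it names) that runs this detection over a constructed, simplified firewall-log format; the log format, the window size and the thresholds are assumptions chosen for the example, not a standard.

```python
from collections import defaultdict
from datetime import datetime, timezone


def _ts(s):
    """Parse the ISO-8601 'Z' timestamps used by the constructed log format."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_sample_log():
    """Constructed sample log (hypothetical format: ts src dst proto port action).

    One source first sends ICMP echo requests to 12 hosts, then tries 20 TCP
    ports on a single host; a second source makes two ordinary connections.
    For ICMP lines the 'port' column carries the ICMP type (8 = echo request).
    """
    lines = []
    for i in range(12):
        lines.append(f"2024-05-01T12:00:{i:02d}Z 10.0.0.25 10.0.1.{10 + i} icmp 8 ACCEPT")
    for i, port in enumerate(range(20, 40)):
        lines.append(f"2024-05-01T12:01:{i:02d}Z 10.0.0.25 10.0.1.10 tcp {port} DROP")
    lines.append("2024-05-01T12:30:00Z 10.0.0.40 10.0.1.10 tcp 443 ACCEPT")
    lines.append("2024-05-01T12:30:05Z 10.0.0.40 10.0.1.11 tcp 22 ACCEPT")
    return "\n".join(lines)


def parse_event(line):
    """Split one log line of the constructed format into a dict."""
    ts, src, dst, proto, port, action = line.split()
    return {"ts": _ts(ts), "src": src, "dst": dst, "proto": proto,
            "port": int(port), "action": action}


def detect_scans(log_text, window_s=60, sweep_hosts=8, scan_ports=15):
    """Flag host sweeps and port scans.

    Events are grouped into fixed windows of window_s seconds. A source that
    pings at least sweep_hosts distinct hosts in one window is a host sweep;
    a source that tries at least scan_ports distinct TCP/UDP ports on one host
    in one window is a port scan. Returns a list of alert dicts.
    """
    sweeps = defaultdict(set)   # (src, window) -> hosts sent an echo request
    scans = defaultdict(set)    # (src, dst, window) -> ports tried
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_event(raw)
        window = int(ev["ts"].timestamp()) // window_s
        if ev["proto"] == "icmp" and ev["port"] == 8:
            sweeps[(ev["src"], window)].add(ev["dst"])
        elif ev["proto"] in ("tcp", "udp"):
            scans[(ev["src"], ev["dst"], window)].add(ev["port"])

    alerts = []
    for (src, _w), hosts in sweeps.items():
        if len(hosts) >= sweep_hosts:
            alerts.append({"type": "host_sweep", "src": src, "count": len(hosts)})
    for (src, dst, _w), ports in scans.items():
        if len(ports) >= scan_ports:
            alerts.append({"type": "port_scan", "src": src, "dst": dst, "count": len(ports)})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(build_sample_log()):
        print(alert)
```

Fixed windows are simple but a scan straddling a window boundary can fall below either threshold; a sliding window, or lowering the thresholds and correlating with the DROP action, tightens this at the cost of more noise from legitimate monitoring hosts, which should be whitelisted by source address.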

SMTP Enumeration:

SMTP stands for ‘Simple Mail Transfer Protocol’. It is used to send electronic mail, but only at the time of sending; for receiving, POP3 or IMAP is used instead. The SMTP port number is 25, which is open most of the time and helps attackers enumerate and determine valid user information on the SMTP server. The built-in SMTP commands that help with this are:

  1. VRFY – This command is used to validate users.
  2. EXPN – This command tells the actual delivery addresses of aliases and mailing lists.
  3. RCPT TO – This command defines the recipient of a message.
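From the mail server's side, all three commands leave a trail: a client that issues VRFY or EXPN repeatedly, or sends a burst of RCPT TO commands that are mostly rejected with a 5xx "unknown recipient" reply, is probing for valid accounts. The script below is an added example (not from the original article) that runs this check over a constructed, simplified SMTP-daemon log; the log format, the counters and the thresholds are assumptions made for the example and do not reproduce Postfix or Sendmail log output.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log in a hypothetical simplified format:
#   <timestamp> client=<ip> cmd=<SMTP command> arg=<argument> code=<reply code>
# 198.51.100.7 is a normal sender; 203.0.113.5 issues VRFY/EXPN probes and a
# run of RCPT TO commands that the server mostly rejects as unknown (550).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z client=198.51.100.7 cmd=EHLO arg=mail.partner.test code=250
2024-05-01T09:00:02Z client=198.51.100.7 cmd=RCPT arg=sales@example.test code=250
2024-05-01T09:10:00Z client=203.0.113.5 cmd=VRFY arg=root code=252
2024-05-01T09:10:01Z client=203.0.113.5 cmd=VRFY arg=admin code=252
2024-05-01T09:10:02Z client=203.0.113.5 cmd=EXPN arg=staff code=502
2024-05-01T09:10:03Z client=203.0.113.5 cmd=VRFY arg=backup code=252
2024-05-01T09:10:04Z client=203.0.113.5 cmd=RCPT arg=alice@example.test code=550
2024-05-01T09:10:05Z client=203.0.113.5 cmd=RCPT arg=bob@example.test code=550
2024-05-01T09:10:06Z client=203.0.113.5 cmd=RCPT arg=carol@example.test code=550
2024-05-01T09:10:07Z client=203.0.113.5 cmd=RCPT arg=dave@example.test code=550
2024-05-01T09:10:08Z client=203.0.113.5 cmd=RCPT arg=sales@example.test code=250
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) cmd=(?P<cmd>\w+) arg=(?P<arg>\S+) code=(?P<code>\d{3})$"
)


@dataclass
class ClientStats:
    probes: int = 0           # VRFY/EXPN commands seen, whether answered or refused
    rcpt_total: int = 0       # RCPT TO commands seen
    rcpt_unknown: int = 0     # RCPT TO rejected with a 5xx reply
    targets: set = field(default_factory=set)  # distinct names/addresses tried


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def collect(log_text):
    """Aggregate per-client counters over the whole log."""
    stats = defaultdict(ClientStats)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        cmd = rec["cmd"].upper()
        if cmd in ("VRFY", "EXPN"):
            s.probes += 1
            s.targets.add(rec["arg"])
        elif cmd == "RCPT":
            s.rcpt_total += 1
            s.targets.add(rec["arg"])
            if rec["code"].startswith("5"):
                s.rcpt_unknown += 1
    return stats


def find_enumeration(log_text, probe_threshold=3, unknown_ratio=0.5, min_rcpt=4):
    """Flag clients whose command pattern looks like user enumeration.

    A client is flagged when it sends at least probe_threshold VRFY/EXPN
    commands, or when at least min_rcpt RCPT TO commands were seen and the
    fraction rejected as unknown is at least unknown_ratio.
    """
    alerts = []
    for ip, s in collect(log_text).items():
        reasons = []
        if s.probes >= probe_threshold:
            reasons.append(f"{s.probes} VRFY/EXPN probes")
        if s.rcpt_total >= min_rcpt and s.rcpt_unknown / s.rcpt_total >= unknown_ratio:
            reasons.append(f"{s.rcpt_unknown}/{s.rcpt_total} RCPT TO rejected as unknown")
        if reasons:
            alerts.append({"client": ip, "distinct_targets": len(s.targets), "reasons": reasons})
    return sorted(alerts, key=lambda a: a["client"])


if __name__ == "__main__":
    for alert in find_enumeration(SAMPLE_LOG):
        print(alert)
```

The rejected-recipient ratio matters more than the raw count: a legitimate mailing-list sender may produce a few bounces, but a client whose recipients are mostly unknown, tried in alphabetical order within seconds, is working from a wordlist.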

Countermeasures:

  1. Configure SMTP servers to ignore e-mail messages to unknown recipients.
  2. Disable the open relay feature.
  3. Do not include information like the mail relay systems being used, internal IP addresses or host information.
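For a Postfix server these countermeasures map onto a few main.cf parameters: `disable_vrfy_command` stops VRFY from confirming accounts, `smtpd_relay_restrictions` must end in `reject_unauth_destination` (or `defer_unauth_destination`) so the server is not an open relay, and `smtpd_banner` should not expand `$mail_name` or `$mail_version`, which reveal the software and its version. The audit script below is an added example (not from the original article and not a Postfix tool); the two configuration fragments are constructed, and the parser handles only the `key = value` plus indented-continuation syntax of main.cf, which is an assumption adequate for the example.

```python
# Constructed example: a permissive main.cf fragment (not a real deployment).
WEAK_MAIN_CF = """\
myhostname = mail.example.test
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
disable_vrfy_command = no
smtpd_relay_restrictions = permit_mynetworks, permit
"""

# Constructed example: the same fragment with the countermeasures applied.
HARDENED_MAIN_CF = """\
myhostname = mail.example.test
smtpd_banner = $myhostname ESMTP
disable_vrfy_command = yes
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""


def parse_main_cf(text):
    """Parse main.cf syntax: 'key = value', '#' comment lines, and
    continuation lines that begin with whitespace (appended to the last key)."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key is not None:
            params[key] = (params[key] + " " + raw.strip()).strip()
            continue
        k, _, v = raw.partition("=")
        key = k.strip()
        params[key] = v.strip()
    return params


def audit_main_cf(text):
    """Return a list of findings, one per countermeasure that is not in place."""
    p = parse_main_cf(text)
    findings = []

    # VRFY: Postfix's default is 'no', i.e. VRFY answers whether a recipient exists.
    if p.get("disable_vrfy_command", "no").lower() != "yes":
        findings.append("disable_vrfy_command is not 'yes': VRFY will confirm valid recipients")

    # Open relay: only judge the parameter when it is set explicitly; the Postfix
    # default (permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination)
    # already refuses unauthenticated relaying.
    relay = p.get("smtpd_relay_restrictions")
    if relay is not None:
        terms = [t.strip() for t in relay.split(",")]
        if not any(t in ("reject_unauth_destination", "defer_unauth_destination") for t in terms):
            findings.append("smtpd_relay_restrictions lacks reject_unauth_destination: open relay")
        if "permit" in terms:
            findings.append("smtpd_relay_restrictions contains a bare 'permit': open relay")

    # Banner: the default already includes $mail_name ('Postfix'); $mail_version adds the version.
    banner = p.get("smtpd_banner", "$myhostname ESMTP $mail_name")
    if "$mail_version" in banner or "$mail_name" in banner:
        findings.append("smtpd_banner exposes the MTA name or version")

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(label, audit_main_cf(cfg) or ["no findings"])
```

Run the audit against `postconf -n` output rather than a hand-edited file when possible, since that reflects the values Postfix actually loaded; the parser accepts the same `key = value` lines.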

Written by: Nikhil Mehra

Reviewed by: Sayan Chatterjee
